Looking to raise the bar on risk discussion and better integrate it with business strategy, the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, has unveiled a proposed redraft of its 2004 ERM framework.
COSO even wants to rename the framework "Enterprise Risk Management -- Aligning Risk with Strategy and Performance" to emphasize a new approach to managing new and existing risks in a way that better integrates the dialogue about risk into business planning.
“We wanted to create a more robust focus on risk in the strategic planning process,” says Dennis Chesley, a PwC partner and lead partner for the ERM framework revision effort. That includes looking at the risk of a company’s strategy, the risk from the strategy, and the risk to strategy, he says. “In 2004, the framework largely talked about risk related to strategic objectives. Now it’s saying there’s a strategic planning process where risk could add value.”
COSO’s Internal Control -- Integrated Framework is used by U.S. companies to achieve compliance with Sarbanes-Oxley internal control reporting requirements. COSO updated that framework in 2013, setting companies on a course to refresh their internal control environments to adopt the new framework. The Securities and Exchange Commission does not explicitly require companies to adopt the COSO framework, but it requires companies to follow a suitable framework.
The ERM framework is not explicitly required by any regulatory body for any particular compliance or reporting requirement, but COSO says it is used widely by companies around the world to improve their ability to manage uncertainty, gauge risk, and increase value. Since the framework was first introduced in 2004, the risk landscape has changed, warranting an update, COSO said.
“We hope companies are interested in this because they’re all trying to do the same thing, which is to improve performance,” says Bob Hirth, chairman of COSO. “This is incremental. Many organizations are doing a great job. This helps an organization improve upon what they are already doing.”
The revised framework is built on five major components of effective enterprise risk management, which together are supported by a total of 23 principles. “That creates the criteria,” says Hirth. “Hopefully people will see it as objective, verifiable criteria to allow someone to determine they have effective ERM.”
The proposed revision also provides some new definitions for companies to ponder around risk, risk capacity, and risk appetite. “There’s a much stronger link to decision making,” in the revised framework, says Hirth. “As organizations make decisions, they do it with some degree of uncertainty, so this gets the ERM mindset into the process.”
The revised framework will be available for public comment through Sept. 30, after which COSO will consider the comments and make any changes to produce the final framework. COSO is anticipating up to 10,000 comments on the proposal, Hirth says.